hlxsites · JBakstPaloAlto · Aug 21, 2024 · Aug 19, 2024 · Aug 19, 2024 · Aug 19, 2024
diff --git a/...se-edition/content-collections/_graphics/governance/custom-build-policy-iac.png b/...se-edition/content-collections/_graphics/governance/custom-build-policy-iac.png
diff --git a/...e-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/...e-edition/content-collections/governance/custom-build-policies/code-editor.adoc
@@ -22,7 +22,7 @@ definition:
      value: "0"
 
 
-For instructions on how to use the type of Attribute with key and values see in the table.
+The table below provides instructions on how to use Attributes with matching keys and values.
 
 [cols="1,2,3", options="header"]
 |===
@@ -53,7 +53,7 @@ For instructions on how to use the type of Attribute with key and values see in
 |===
 
 
-For instructions on how to use Attribute Operators see in the table.
+The table below provides instructions on how to use Attribute Operators.
 
 [cols="1,1", options="header"]
 |===
@@ -164,7 +164,7 @@ definition:
        operator: "exists"
 
 
-For instructions on how to use the type of Connection State with key and values see in the table.
+The table below provides instructions on how to use Connection State types.
 
 [cols="1,2,3", options="header"]
 |===
@@ -191,7 +191,7 @@ For instructions on how to use the type of Connection State with key and values
 |===
 
 
-For instructions on how to use Connection State Operators see in the table.
+The table below provides instructions on how to use Connection State Operators.
 
 [cols="1,2", options="header"]
 |===
@@ -386,15 +386,15 @@ For every test, the console displays up to 30 results. Each time you test your c
 //+
 //image::governance/code-editor-3.png
 +
-You also review the results for more details on the impacted resource and misconfiguration.
-+
-In this example you see the contextualized information about an impacted resource from your custom code.
+You can also review the results for more details on the impacted resource and misconfiguration.
+//+
+//In this example you see the contextualized information about an impacted resource from your custom code.
 //+
 //image::governance/code-editor-4.png
 +
 If there are errors in your custom code during a test, the console displays a solution.
-+
-In this example, you see solution for the errors from your code.
+//+
+//In this example, you see solution for the errors from your code.
 //+
 //image::governance/code-editor-5.png
 

diff --git a/...content-collections/governance/custom-build-policies/custom-build-policies.adoc b/...content-collections/governance/custom-build-policies/custom-build-policies.adoc
@@ -6,6 +6,7 @@ Prisma Cloud includes out-of-the-box policies that enable you to detect misconfi
 You can create custom build policies for the following frameworks:
 
 * *Terraform* - Policies written using Terraform attributes will apply for Terraform (.tf and plan files).
+* *Bicep*: Policies defined using Bicep resources and attributes will apply for tailored Azure Bicep resource governance.
 * *CloudFormation* - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK).
 * *Kubernetes* - Policies written using Kubernetes attributes will apply for Kubernetes, Helm, and Kustomize.
 

diff --git a/...-collections/governance/custom-build-policies/custom-build-policy-examples.adoc b/...-collections/governance/custom-build-policies/custom-build-policy-examples.adoc
@@ -2,12 +2,59 @@
 
 To create code-based policies for your infrastructure, use these examples as guidance. They showcase how to use different attributes for working with IaC templates.
 
+* <<bicep-example,Bicep Example>>
 * <<terraform-examples, Terraform Examples>>
 * <<cloudformation-examples, Cloud Formation Examples>>
 * <<kubernetes-examples,Kubernetes Examples>>
 * <<ss-examples,Secrets Security Examples >>
 * <<#resource-blocklist,Resource Control - Blocklist Example>>
 
+[#bicep-example]
+=== Bicep Example
+
+The following example demonstrates how to create a Bicep policy.
+
+----
+metadata:
+  name: "Ensure that auditing is set to on for SQL servers"
+  guidelines: "..."
+  category: "logging"
+definition:
+  and:
+    - cond_type: filter
+      attribute: resource_type
+      operator: within
+      value:
+        - Microsoft.Sql/servers
+        - Microsoft.Sql/servers/databases
+    - or:
+        - and:
+            - cond_type: connection
+              resource_types:
+                - Microsoft.Sql/servers
+              connected_resource_types:
+                - Microsoft.Sql/servers/auditingSettings
+              operator: exists
+            - cond_type: attribute
+              resource_types:
+                - Microsoft.Sql/servers/auditingSettings
+              attribute: properties.state
+              operator: equals
+              value: Enabled
+        - and:
+            - cond_type: connection
+              resource_types:
+                - Microsoft.Sql/servers/databases
+              connected_resource_types:
+                - Microsoft.Sql/servers/databases/auditingSettings
+              operator: exists
+            - cond_type: attribute
+              resource_types:
+                - Microsoft.Sql/servers/databases/auditingSettings
+              attribute: properties.state
+              operator: equals
+              value: Enabled
+----
 
 [#terraform-examples]
 === Terraform Examples
@@ -729,4 +776,4 @@ definition:
   resource_types:
     - "aws_sagemaker_model"
   operator: "not_exists"
-----
+----
diff --git a/...edition/content-collections/governance/custom-build-policies/visual-editor.adoc b/...edition/content-collections/governance/custom-build-policies/visual-editor.adoc
@@ -4,85 +4,91 @@
 
 == Visual Editor
 
-Prisma Cloud supports the capability of a Visual Editor where you can create custom build policies for  your templates using the existing fields.
-The Visual Editor is a suitable option when you want to create custom policies that include Attribute checks with a support of AND/OR logic.
-To help you create a custom policy using the Visual Editor, you will see an example of custom build policy for S3 Bucket ACL where log delivery is not recommended.
-
+The 'Visual Editor' supports custom build policies for *IaC*, *Secrets* and *Licenses*, using Attribute checks that support of AND/OR logic.
 
 [.procedure]
 
-.. Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*.
+. Under *Governance*, select *Add Policy* > *Config*.
+. Fill in the fields in the *Add Details* step of the wizard (refer to xref:custom-build-policies.adoc[Custom Build Policies])> *Next*.
 +
-In this example, you see the policy details for S3 Bucket ACL where log delivery is not recommended.
+The *IaC Policy Code Editor* is displayed by default in the *Create query* step of the wizard. 
+//+
+//In this example, you see the policy details for S3 Bucket ACL where log delivery is not recommended.
 //+
 //image::governance/visual-editor.png
+//+
+//Code Editor appears as a default view.
+
+. Select *Visual Editor* from the menu. 
+. Select a policy type.  
+
+. Configure the policy by selecting values in the provided fields.
++
+* For Licenses, select a license type. Multiple types are supported
++
+* For Secrets, add a Regular expression. Multiple 'OR' expressions are supported
 +
-Code Editor appears as a default view.
+* For IaC, see <<configure-iac,Configure Iac Custom Build Policies>> below  
++
+NOTE: Test scans are only supported for IaC policies.
 
-.. Select *Visual Editor*.
-//+
-//image::governance/visual-editor-1.png
+. Select *Next* to access Compliance Standards, and complete the process for creating a custom Build-time check policy (refer to xref:custom-build-policies.adoc[Custom Build Policies]).
 
-. Select *Category* *Type*.
+
+[.task]
+[#configure-iac]
+=== Configure IaC Custom Build Policies
+
+Limitation: The Visual Editor supports policy creation for Prisma Cloud's supported cloud service providers. For unsupported providers, use the Code Editor.
+
+[.procedure]
+. Repeat steps 1-4 above, selecting IaC as the policy type.
+. Select *Category Type*.
 +
-*Category Type* is where the policy is grouped based on either Elasticsearch, General, IAM, Kubernetes, Logging, Monitoring, Networking, Public, Secrets, Serverless, Storage and Vulnerabilities. You can use the category type to search or filter specific policies.
+Policies are categorized by type. Options include Elasticsearch, General, IAM, Kubernetes, Logging, Monitoring, Networking, Public, Secrets, Serverless, Storage, and Vulnerabilities. 
 //+
 //image::governance/visual-editor-2.png
 
-. Select *Cloud Provider*.
+. Select the target *Framework*.
 +
-You can create rules only for Cloud Service Providers that are supported on Prisma Cloud.
-//+
-//image::governance/visual-editor-3.png
+NOTE: Framework options include: Terraform, Kubernetes, CloudFormation and Bicep.
 
-. Select *Resource Type*.
-+
-Resource Type is relevant to the selection of the Cloud Provider. You can also add the syntax of the resource to search for the same.
-//+
-//image::governance/visual-editor-4.png
-+
-In this example add s3 to and you should be able to locate relevant resources.
-//+
-//image::governance/visual-editor-5.png
+. Select a *Cloud Provider*.
 
-. Select *Attribute*, *Operator* and then add *Value* for the query.
+. Select a *Resource Type*.
 +
-The query defines the match condition to verify if  a resource does contain a specific value, or if the specific value exists.
-//+
-//image::governance/visual-editor-6.png
+NOTE: The Cloud Provider selection determines the available Resource Types and their corresponding syntax.
+
+. Create a query: Select an *Attribute*, *Operator* and add a *Value*.
 +
-In this example the query for S3 Bucket ACL policy will include *Attribute* as `acl`, the *Operator* is `Not equals` and the *Value* is `log-delivery-write`.
-//+
-//image::governance/visual-editor-7.png
+This query defines the matching condition to check if a resource contains a specific value or if a specific value exists.
 +
-See <<examples-on-custom-policies,examples on custom policies>> for more examples.
+NOTE: This query type allows users to build complex search criteria using multiple attribute-operator-value combinations. The initial query supports both AND and OR conditions for flexible filtering. You can further refine results by applying additional logic, providing granular control over data retrieval.
+
+. Select *Scan* to verify your custom IaC code.
 +
-NOTE: The Custom Policy "aws-networking-deny-public-ssh" uses 2 rules with arguments for cidr_blocks and to_port. You can create multiple  nested arguments for this policy. In this example,  to express a more complex ingress policy for an AWS security group you can use arguments like; `ingress.from_port`, `ingress.to_port`, `ingress.protocol`, `ingress.cidr_blocks`.
+If your custom IaC code contains no errors, Prisma Cloud will display up to 30 resource results.
 +
-You can use And/OR logic to create a  rule with more than one query.
+The following screenshot displays an example of results returned by a verified IaC policy.
 +
-A policy may include layers of defined Attributes and Connection State, or both. To define the connection between the two AND/OR logic is used.
+image::governance/custom-build-policy-iac.png[]
+
+
+
+
+
 
-In this example you see the AND logic used.
-//+
-//image::governance/visual-editor-8.png
 
-. Select *Test* to verify your custom code.
-+
-If your custom code has no error, Prisma Cloud will display 30 resource results.
-+
-In this example, you see results for the S3 Bucket ACL query.
-//+
-//image::governance/visual-editor-9.png
 
-. Select *Next* to access Compliance Standards and to complete the process to create a custom Build-time check policy.
 //+
 //image::governance/visual-editor-10.png
+////
 +
 NOTE: You are in Step 2 of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console.
 
+
 [#examples-on-custom-policies]
-=== Examples on Custom Policies
+=== Custom Build Policies Examples
 
 [cols="3,2,1,1,1,1", options="header"]
 |===
@@ -127,3 +133,22 @@ NOTE: You are in Step 2 of Create Custom Policies for Build-Time Checks. You are
 
 
 
+//was under query builder
+//+
+//image::governance/visual-editor-6.png
+//+
+//In this example the query for S3 Bucket ACL policy will include *Attribute* as `acl`, the *Operator* is `Not equals` and the *Value* is `log-delivery-write`.
+//+
+//image::governance/visual-editor-7.png
+//+
+////+
+NOTE: The Custom Policy "aws-networking-deny-public-ssh" uses 2 rules with arguments for cidr_blocks and to_port. You can create multiple  nested arguments for this policy. In this example,  to express a more complex ingress policy for an AWS security group you can use arguments like; `ingress.from_port`, `ingress.to_port`, `ingress.protocol`, `ingress.cidr_blocks`.
++
+You can use And/OR logic to create a  rule with more than one query.
++
+A policy may include layers of defined Attributes and Connection State, or both. To define the connection between the two AND/OR logic is used.
+
+In this example you see the AND logic used.
+////
+//+
+//image::governance/visual-editor-8.png